Privacy Policy for Burnr

Depending on how you use Burnr, we may collect the following categories of data.

2.1 Account, sign-in, and authentication data

If you create or use a Burnr account, we may collect:

• Email address
• Password submitted for email/password sign-in or account creation. We do not store your password in plain text; the backend stores password hashes.
• Display name
• Profile photo/avatar URL, if provided through Google Sign-In or your profile
• Google Sign-In email address, Google account subject identifier, Google ID token used for sign-in verification, and linked Google provider record, if you use Google Sign-In
• App-specific Burnr user ID
• Account creation, update, login, last-sync, and account status timestamps
• App-generated device ID used for session management, sync, problem-report rate limiting, and purchase-account binding
• Authentication session records, access tokens on your device, refresh-token hashes on our backend, refresh-session expiry/revocation timestamps, and user-agent information for session security
• Password-reset request data, if you request password reset

We use this data to create and manage your Burnr account, authenticate you, keep you signed in, provide cloud sync, secure your account, prevent abuse, process support and deletion requests, and link premium purchases to the correct Burnr account.

You may also use Burnr without a Burnr account in anonymous/local-only mode. In that case, cloud sync, account deletion, premium verification, and authenticated problem reports are not available.

2.2 Workout, fitness, and app content data

Burnr may collect and store data that you create or save in the App, including:

• Custom workout routines
• HIIT interval timer presets
• Preset names and descriptions
• Basic workout settings, such as warmup, work, rest, cooldown, repeats, transitions, sound, vibration, and voice-countdown settings
• Advanced workout-builder items, phases, circuit names, descriptions, durations, and repeats
• Workout history and completion records, including completion time, total duration, warmup/work/rest/cooldown time, total rounds, and settings used
• Account-scoped app settings, including language, notification schedule, current workout settings, keep-screen-awake preference, and sync metadata
• Local and cloud sync records, including updated timestamps, sync versions, deleted flags, and conflict data

We use this data to provide Burnr's core features, including timers, custom routines, saved presets, workout history, cloud sync, account-scoped settings, and restoring your data across devices.

Burnr does not use your workout routines, workout history, or synced workout content for advertising, credit decisions, insurance decisions, employment decisions, or sale to data brokers.

2.3 Local device data and preferences

Burnr stores some data locally on your device, including:

• App-generated device ID
• Language preference
• First-launch and welcome-dialog state
• Anonymous-mode state
• Reminder schedule
• Keep-screen-awake setting
• Current workout settings
• Pending room invite code, if you open a room invite link
• Ad cooldown timestamp
• Cached premium entitlement state, product ID, and related account-binding value
• Auth session data and tokens needed to keep you signed in
• Local workout presets and workout history

Local workout data is stored in an encrypted SQLite database. Authentication tokens and the local database encryption key are stored using platform secure storage where available.

2.4 Device, app, diagnostics, and crash data

Burnr may collect technical data needed to operate, secure, debug, and improve the App, including:

• App version and build number
• Platform and operating system
• Locale/language setting
• Burnr user ID associated with Crashlytics reports after you sign in
• Crash logs, stack traces, error codes, error operations, error severity, and limited sanitized diagnostic context
• App and SDK diagnostic information, such as failures in sync, auth, update checks, notifications, purchases, or ads
• Approximate technical information such as IP address when communicating with our backend or service providers
• User-agent information for backend session security

Burnr uses Firebase Crashlytics for production crash and error reporting. Crashlytics collection is disabled in non-production/debug builds. Burnr does not currently include Firebase Analytics as a separate first-party analytics SDK, but advertising and crash-reporting SDKs may process the data described in this Policy.

2.5 Ads and advertising data

Burnr may show Google Mobile Ads interstitial ads to non-premium users on Android. Premium users do not receive Burnr's in-app ads.

Burnr does not send your saved workout routines or workout history to Google Mobile Ads for ad targeting. However, the Google Mobile Ads SDK may automatically collect and share data with Google for advertising, analytics, and fraud-prevention purposes, including:

• IP address, which may be used to estimate general location
• Android advertising ID, app set ID, and device/account identifiers
• Ad impressions, ad clicks, app launches, taps, video views, and other product interaction data
• Diagnostic and performance information related to the app and ad SDK

Google processes this data under Google's own terms and privacy policies.

2.6 Purchase data

Burnr currently offers a one-time lifetime premium in-app purchase through Google Play. Payment processing is handled by Google Play.

We do not receive your full payment card details. We may receive or process purchase information made available by Google Play or the Google Play Billing system, including:

• Product ID, currently burnr_premium_lifetime
• Purchase status, including purchased, restored, pending, canceled, refunded, invalid, or inactive states
• Purchase token sent to our backend for server-side Google Play verification
• Keyed hash of the purchase token stored by our backend for entitlement and fraud-prevention purposes
• Order ID, if available
• Obfuscated account ID used to bind a Google Play purchase to the correct Burnr account
• Premium entitlement status and verification timestamp

We use this data to unlock premium features, restore purchases, suppress ads for premium users, verify purchases with Google Play, prevent fraud, provide support, and comply with legal, tax, accounting, or consumer-protection obligations.

2.7 Problem reports, support, contact, and deletion-request data

When you submit an in-app problem report, contact us, or request deletion of your Burnr account, we may collect:

• Name, if you provide it
• Email address
• Burnr account email
• Google Sign-In email, if different
• Message content
• Problem report category, summary, and description
• App version, build number, platform, locale, screen name, premium-active flag, and a hashed device fingerprint for abuse control
• Information needed to verify that a deletion request belongs to the account owner
• Records of our response to your request

In-app problem reports require sign-in so we can reduce spam, rate-limit submissions, and associate the report with the correct Burnr account.

2.8 Website data

If you visit our website pages related to Burnr, including the privacy policy page or account-deletion page, our website or hosting providers may process basic technical data such as IP address, browser type, device information, pages visited, cookie-related information, and form submission data.

We use this data to operate the website, protect it from abuse, maintain security, and handle your requests.

Burnr does not intentionally collect the following data unless a future version of the App clearly asks for permission and this Privacy Policy is updated before such collection begins:

• Precise GPS location
• Contacts
• SMS or call logs
• Camera recordings
• Microphone recordings
• Photos or videos from your device library
• Health Connect data
• Body sensor data such as heart rate, SpO2, or skin temperature
• Government identification numbers
• Full payment card numbers

Burnr also does not request structured body measurements such as weight, body fat, height, calories consumed, or medical conditions. If you voluntarily type sensitive information into a workout name, workout description, problem report, or support message, that information may be stored as part of that user-provided content.

If Burnr requests access to any sensitive Android permission in the future, the App will request permission through Android's runtime permission system where required and will explain why the data is needed.

We use the data described above for the following purposes:

• To provide Burnr and its core timer, routine, preset, reminder, and workout-history features
• To create, authenticate, and manage Burnr accounts
• To save, sync, and restore workout routines, timer presets, workout history, and app settings
• To provide anonymous/local-only mode
• To provide customer support and in-app problem reporting
• To process account-deletion and data-deletion requests
• To verify Google Play purchases and restore premium entitlement
• To unlock paid features and remove ads for premium users
• To show ads to non-premium users
• To send service-related messages, such as account, password-reset, security, support, or purchase-related messages
• To provide local workout reminders and scheduled notifications
• To improve app stability, performance, security, and usability
• To detect, prevent, and investigate fraud, abuse, security incidents, purchase misuse, spam, and technical issues
• To comply with applicable legal, tax, accounting, consumer-protection, and regulatory obligations
• To establish, exercise, or defend legal claims

For users in the European Economic Area, the United Kingdom, or other regions with similar data-protection laws, we process personal data using the following legal bases:

• Contract performance: when data is needed to provide Burnr, account features, cloud sync, local and cloud workout features, purchases, premium entitlement, and support.
• Consent: when you give consent, such as when using optional features, granting optional permissions, or choosing Google Sign-In.
• Legitimate interests: when we process data to secure the App, prevent abuse, verify purchases, maintain service reliability, debug issues, improve functionality, show ads to non-premium users where permitted, and respond to support requests, provided those interests are not overridden by your rights.
• Legal obligations: when processing is required for tax, accounting, consumer protection, regulatory, or legal compliance.

We do not sell personal data.

We may share data only as necessary with the following categories of recipients.

6.1 Google services

Burnr uses or may interact with Google services, including:

• Google Play and Google Play Services for app distribution, app updates, and platform services
• Google Sign-In for optional sign-in
• Google Play Billing for the lifetime premium purchase
• Google Android Publisher API for server-side purchase verification and acknowledgement
• Google Mobile Ads / AdMob for ads shown to non-premium users
• Firebase Core and Firebase Crashlytics for production crash and diagnostic reporting

Google services may process data for purposes such as authentication, app distribution, purchase processing, crash reporting, advertising, analytics related to ads, fraud prevention, app security, and service operation. Google Play purchases and payments are handled by Google under Google's own terms and privacy policies.

6.2 Hosting, infrastructure, email, forms, and technical service providers

We may use trusted service providers to host the Burnr backend, website, databases, account systems, email delivery, deletion-request forms, support systems, diagnostics, crash reporting, ads, and cloud sync services.

These providers process data on our behalf where applicable and are permitted to use the data only for the services they provide to us, unless they act as independent controllers under their own privacy terms.

6.3 Legal, safety, and business purposes

We may disclose data if necessary to:

• Comply with applicable law, regulation, legal process, or government request
• Protect the rights, property, or safety of users, us, or others
• Detect, prevent, or investigate fraud, abuse, security issues, or purchase misuse
• Enforce our terms
• Handle a merger, acquisition, restructuring, or transfer of business assets, with appropriate safeguards and notice where required

We are based in Poland. Some service providers may process data outside Poland or outside the European Economic Area.

When personal data is transferred internationally, we use appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, data-processing agreements, or other lawful transfer mechanisms.

We use technical and organizational measures designed to protect personal data and app data, including:

• HTTPS/TLS for communication with the Burnr backend and supported service providers
• Local SQLCipher encryption for Burnr workout database storage
• Platform secure storage for authentication tokens and the local database encryption key where available
• Password hashing for email/password accounts
• Refresh-token hashing on the backend
• Keyed hashing of Google Play purchase tokens before backend retention
• Access controls for systems that process user data
• Authentication and authorization controls for account-scoped backend APIs
• Limiting access to data to people and service providers who need it
• Sanitized production error reporting that avoids intentionally sending raw sensitive exception text
• Monitoring and debugging to detect errors, abuse, and security issues
• Backup and recovery procedures

No method of transmission or storage is completely secure, but we work to protect your data using reasonable safeguards.

We keep data only for as long as needed for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

In general:

• Burnr account data is retained while your account remains active.
• Cloud-synced workout presets, workout history, and account-scoped app settings are retained while your account remains active or until you delete them or request account deletion.
• Local-only workout data and preferences remain on your device until you delete them in the App where available, clear the App's data, or uninstall the App.
• Authentication and refresh session records are retained while needed to keep you signed in, secure the App, rotate or revoke sessions, or investigate abuse.
• Problem reports and support/deletion-request records may be retained for a reasonable period to document our response, debug issues, prevent abuse, and comply with legal obligations.
• Purchase and premium entitlement records may be retained as needed for entitlement management, fraud prevention, support, tax, accounting, consumer protection, or legal obligations.
• Crash logs and diagnostic data are retained for the limited period needed to debug, improve, and secure the App, subject to Firebase/Google retention controls where applicable.
• Advertising data processed by Google Mobile Ads is retained according to Google's applicable terms and privacy policies.
• Backup copies may remain for a short technical retention period before being overwritten or deleted.

If you have a Burnr account, you may request deletion of your Burnr account and associated cloud data.

In the App, signed-in users can go to Settings and choose "Delete account and data". Burnr opens the external deletion request form in your browser.

You can also request deletion through the Burnr account-deletion page:

https://codeflowsolutions.pl/burnr/delete-account

You may also contact us by email:

kwapiszewski.mateusz@codeflowsolutions.pl

When requesting deletion, please include the email address used for your Burnr account. If you used Google Sign-In, include the Google email address used in Burnr.

After we verify that the request belongs to the account owner, we will delete or anonymize the Burnr account data associated with the account, including:

• Burnr account profile data, such as email address, display name, avatar URL, and linked sign-in identifiers
• Server-side authentication records and active refresh sessions
• Cloud-synced workout presets
• Cloud-synced workout history and completion records
• Cloud-stored app settings connected with the account
• Backend premium entitlement records where deletion is not restricted by fraud-prevention, accounting, tax, consumer-protection, dispute-resolution, or legal obligations
• Problem reports and support records where deletion is not restricted by security, fraud-prevention, support, dispute-resolution, or legal obligations

We aim to process verified deletion requests within 30 days.

Some data may be retained where necessary for legal, tax, accounting, fraud-prevention, security, purchase-verification, dispute-resolution, or compliance reasons. Residual backup copies may also remain for a limited technical retention period before being overwritten.

Deleting your Burnr account does not delete your Google account, Google Play transaction history, or data that Google has processed as an independent controller for Google Play, Google Sign-In, Google Mobile Ads, Firebase, or related Google services. Google Play purchase and payment records are handled by Google.

Deleting your Burnr account also does not automatically remove local-only data stored on your device. You can remove local device data by using available in-app delete controls, clearing the App's storage through your device settings, or uninstalling the App.

Depending on your location and applicable law, you may have the right to:

• Access your personal data
• Correct inaccurate personal data
• Delete your personal data
• Restrict processing
• Object to processing
• Receive a copy of your data in a portable format
• Withdraw consent where processing is based on consent
• Lodge a complaint with a data-protection authority

To exercise your rights, contact us at:

kwapiszewski.mateusz@codeflowsolutions.pl

If you are in Poland or the European Union, you may lodge a complaint with the Polish data-protection authority:

https://uodo.gov.pl

Burnr is not directed to children under 16 years of age.

We do not knowingly collect personal data from children under 16. If you believe that a child has provided personal data to us, contact us and we will take appropriate steps to delete the data where required.

Burnr requests only permissions needed to provide its features. On Android, Burnr may request or use permissions for:

• Internet and network state, to access the Burnr backend, Google services, ads, purchases, and updates
• Vibration, to provide workout haptic feedback
• Notifications and exact alarms, to schedule workout reminders
• Opening web links, including account deletion and room invite links

If Burnr needs access to sensitive data or Android permissions in the future, the App will request permission through the Android permission system where required. If the collection or use of personal or sensitive data is not reasonably expected by the user, Burnr will provide an in-app disclosure explaining what data is collected, why it is collected, and how it is used or shared before collection begins.

We may update this Privacy Policy from time to time.

When we update it, we will change the "Last updated" date above. If the changes are material, we may provide additional notice in the App, on our website, or by other appropriate means.

For privacy questions, data requests, account-deletion requests, or other inquiries, contact: